Chris Hoofnagle (Director, Information Privacy Programs, Berkeley Center for Law & Technology) and Jennifer Urban (Faculty Co-Director, Samuelson Law, Technology & Public Policy Clinic) are the co-authors of a new paper on mobile payments and privacy.
Their work — Mobile Payments: Consumer Benefits & New Privacy Concerns — collects preference data from more than a thousand U.S. adults to gauge consumer interest in mobile payment usage, plus a new wrinkle: many of their questions focus specifically on privacy issues.
What follows is a question-and-answer session between Hoofnagle, Urban and PYMNTS.com on the subject of privacy concerns and mobile payment adoption. Find out why consumers lack enthusiasm for mobile payments generally; what Facebook and PayPal are already doing to change the privacy landscape; and which California law might be used as a model for setting privacy boundaries in the future.
In “Mobile Payments: Consumer Benefits & New Privacy Concerns,” you asked roughly 1,200 Americans about their willingness to share private data with merchants at the point of sale. What did they say? Were their responses surprising?
First, there is a lack of enthusiasm about adopting mobile payments in general. We don’t think this is very surprising, because Americans are already well-served by other forms of payment. In countries with robust payment systems already in place, like the U.S., mobile still does not have a compelling benefit over the speed of cash or the flexibility of credit. This could certainly change over time, however. Mobile can position itself to be the system that works when others break. For instance, what if there were a successful DDOS against the major payment networks or ATMs? Or perhaps consumers will adopt mobile on the day that they’ve forgotten their wallet, or don’t have enough change to feed the parking meter. And if merchants like, they can give incentives to encourage mobile payments.
We also found high levels of resistance to sharing personal information at the point of sale. Divorced from some specific benefit, it doesn’t make sense to share this data. Of course, [this goes back to merchants and other providers creating incentives to encourage mobile payments. Providers are going to find ways to give individuals incentives to share this data, and then the focus will shift to how that data can be used, and the responsibility for protecting it.
There will also be some unforeseen risks. For instance, grocery store loyalty cards were presented as relevant for discounts, but what happens on the day that a company has learned that it has sold tainted food to its customers? Don’t you have to use the loyalty data to contact affected customers? Have data that you thought of as only a revenue-generating tool become a source of liability?
Do you think if people were asked whether they wanted to “sell” their private data rather than “share” it, responses would be different? Isn’t this essentially what merchants and networks are asking?
Yes, we think they would be more resistant. We deliberately used euphemisms such as “share” to prevent people from automatically rejecting these schemes.
You write quite a bit about Level 3 transaction data, how it’s used now, and how it might be used in the future. What are companies like PayPal and Facebook doing to access L3 data, and how might mobile payments expand the availability of that information?
PayPal, Google checkout (online), and Facebook capture level 3 data. This is a dramatic and potentially problematic change in the privacy of payment, because currently, everyone in a credit/charge transaction has an incomplete view of the exchange. As far as privacy is concerned, cash is the best, but credit/charge isn’t that bad because, with some exceptions, payment providers only get the location of payment rather than the Level 3 data. With mobile, we’re moving to a world where merchants will be able to identify you, have your contact information, know what you bought, and pass along this information to others. Under current financial privacy laws, the default requires the consumer to opt out of these arrangements to avoid this. And even if a consumer opts out, financial institutions can undo their opt outs by creating “joint marketing agreements.”
You note that consumers are much more willing to share an email address than, say, their home address or phone number. Should merchants and networks that want to create unique profiles for each of their customers focus on acquiring this data?
We suspect this is for a few reasons. Email addresses are much more manageable from the consumer’s perspective. Emails can be deleted or filtered outright. A marketer cannot make consumers’ emails ring at the dinner hour. We think the difference in willingness to share emails versus other kinds of information is a reflection of a desire for control over communications. (Though we note that there is also pretty substantial resistance to sharing email addresses.) And of course, the lack of willingness to share home address probably comes from similar fears to those that motivated Song-Beverly, a privacy law we discuss in the paper. Song-Beverly limited the ability of sales clerks to ask for personal information at the register, in part, because those clerks could decide to stalk customers.
You mention California’s Song-Beverly Credit Card Act as perhaps a good example of how mobile payments ought to be regulated. What do you think consumers would like to see done in the mobile payment space?
Song-Beverly attempted to make credit payment nearly as private as cash. It offers a valuable lesson: whether these systems offer users privacy is up to us as a society. The no privacy condition is not preordained; it is a choice we can take or avoid, through creating law that aligns business practices with consumer preferences. We would have to do more research in order to know in detail what consumers want, but our results seem to indicate that consumers are likely to reject payments systems that collect personal information and do not give consumers control.
Chris Jay Hoofnagle is director of the Berkeley Center for Law & Technology’s information privacy programs and senior fellow to the Samuelson Law, Technology & Public Policy Clinic. He is an expert in information privacy law. He teaches computer crime law and a seminar on the Federal Trade Commission and online advertising. Hoofnagle’s research focuses on the challenges in aligning consumer privacy preferences with commercial and government uses of personal information.
In collaboration with the National Science Foundation’s Team for Research In Ubiquitous Secure Technology (NSF-TRUST), Hoofnagle has led research teams studying the extent of tracking online. In a series of papers, this team has demonstrated that advertisers deliberately use obscure and difficult-to-block technologies to track internet users.
In the identity theft space, Hoofnagle’s research suggests that effective interventions could focus on credit grantors rather than impostors or victims. His work shows that economic incentives drive credit grantors to overlook indicia of fraud, leading to problems such as “synthetic identity theft,” where impostors fabricate entirely new identities that are eligible for credit.
In 2008, Hoofnagle started a consumer privacy research project. The reports flowing from this project focus upon youth attitudes towards privacy, and perceptions of online advertising. While regulators and businesses expect consumers to negotiate for privacy in the market, this work shows that consumers mistakenly believe that laws conform business practices to their privacy preferences by default. This work also shows that young internet users are similar to older cohorts in privacy attitudes and the desire for legal protections.
Prior to joining Berkeley Law, Hoofnagle was a non-residential fellow with Stanford Law School’s Center for Internet and Society. Prior to that, Hoofnagle focused on regulation of telemarketing, financial services privacy, and credit reporting at the Electronic Privacy Information Center in Washington, DC. While at EPIC, Hoofnagle called attention to the civil liberties risks posed by the “little brothers” –private-sector information firms. His work has helped elucidate the problem that while the US government has created privacy rules for itself, these are easily circumvented through access to private-sector data firms.
Hoofnagle co-chairs the annual Privacy Law Scholars Conference. He is licensed to practice in California and Washington, DC.
Jennifer M. Urban joined Berkeley Law in 2009 as an Assistant Clinical Professor of Law and Director of the Samuelson Law, Technology & Public Policy Clinic at the UC Berkeley School of Law. She comes to Berkeley Law from the University of Southern California’s Gould School of Law, where she founded and directed the USC Intellectual Property &Technology Law Clinic and taught classes on issues related to intellectual property, privacy and individual rights in a world of rapid technological and societal change.
At USC, Urban’s clinic students represented public interest clients in numerous cases and projects related to IP and technology law, including, for example: copyright legislative work on “orphan works;” consumer counseling work around web reputation and privacy; defensive patent licensing; and work with small filmmakers and other artists on fair use, licensing and free expression.
Urban’s recent scholarly work includes “Efficient Process or ‘Chilling Effects’? Takedown Notices Under Section 512 of the Digital Millennium Copyright Act,” in the Santa Clara Computer and High Technology Journal; and “Legal Uncertainty in Free and Open Source Software and the Political Response,” a chapter in The Politics of Open Source Adoption published by Social Science Research Council in an innovative collaborative format. She has filed numerous amicus briefs on behalf of public interest non-profit clients.
Joining the faculty at Berkeley Law is a homecoming for Urban. Prior to joining the USC faculty in 2004, she was the Samuelson Clinic’s first fellow, teaching as a lecturer and visiting professor at Berkeley Law. Prior to that, she was an attorney with the Venture Law Group in Silicon Valley. She graduated from Cornell University with a B.A. in biological science (concentration in neurobiology and behavior) and from Berkeley Law with a J.D. (intellectual property certificate). She was the Annual Review of Law and Technology editor while a student at Berkeley Law, and received the Berkeley Center for Law and Technology Distinguished Alumni Award in 2003.
We’re always on the lookout for opportunities to partner with innovators and disruptors.
Learn More